Scammers Impersonate Trusted Brands in Gambling Ads to Drive Casino Traffic

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

Scammers are hijacking trusted brand names to push people toward online casinos unrelated to those companies. Instead of building fake bank sites or phishing emails, they exploit the trust people place in familiar logos.

The scam starts simply. A consumer scrolling Facebook, Instagram, TikTok, or Threads sees an ad claiming a familiar brand, such as a bank, retailer, or streaming service, has launched its own slots or casino game.

Some ads even show a testimonial from someone who supposedly won big playing “Brand Slots”.

Netcraft said in a report shared with Cyber Security News (CSN) that the operation spans dozens of impersonated brands across several countries, pointing to a coordinated effort.

Clicking the ad takes the victim to a landing page dressed up to look like an official app store listing, complete with the brand’s logo and a fabricated developer name.

From there, users are guided to install what looks like an app but is actually a Progressive Web App, a browser shortcut disguised as a native application.

Once opened, that shortcut quietly loads an unrelated gambling site through affiliate tracking links, generating a payout for whoever ran the ad. Affiliate platforms reportedly pay between $50 and $350 for every player who signs up and deposits money.

Scammers Impersonate Trusted Brands

Netcraft found three approaches used across these campaigns, each showing an escalating level of effort. The simplest version slaps a brand name onto a generic slots ad, relying on ordinary people in everyday scenes to sell the idea.

A more elaborate version lifts a brand’s actual logo, color scheme, and forged screenshots of its app. One example targeting Monzo showed a fabricated account balance next to text declaring the bank had “officially launched online slots,” complete with a real Monzo sort code for legitimacy.

Image-based scam ad (Source – Netcraft)

The most convincing tactic uses AI generated promotional videos filmed to look like they were shot outside real brand locations, featuring fake employees and authentic branding.

Examples of AI-generated promotional videos (Source – Netcraft)

For viewers who recognize the company, these clips are hardest to dismiss as fake.

Examples of fake Play Store listing examples (Source – Netcraft)

A smaller number of campaigns instead show a spin wheel game that always wins, pushing users to “claim” their prize by installing the disguised app.

Some ads display one URL, such as a Google Play address, while actually leading elsewhere.

Netcraft even found cases where a domain built to impersonate one brand was later used to run ads for a completely different brand, hinting operators recycle infrastructure across campaigns.

Brands Being Impersonated and Who Is at Risk

The brands caught up in this scheme span several industries. UK banks like Monzo, Revolut, and Barclays have been impersonated, alongside household names such as Tesco and the Irish National Lottery, plus global names including Amazon, Netflix, and Facebook.

While most identified ads target UK consumers, Netcraft also spotted variants in German and Spanish, along with one offering a bonus in Canadian dollars, pointing to international reach.

Once installed, the fake app keeps showing the impersonated brand’s name in the browser title bar even as it loads an unrelated casino site underneath. Push notifications are also sent to nudge users into finishing registration, keeping the illusion alive after install.

Because the casino sites function as real, working gambling platforms with genuine games and bonuses, they do not directly impersonate any brand, making them harder to take down than the ads and landing pages.

Netcraft noted it could not confirm whether these linked casinos hold proper licensing for their target markets.

Checking whether an “install” button leads to a genuine app store, rather than a browser shortcut, is a simple way to catch this scam early.

Netcraft has published indicators of compromise tied to this campaign in a public GitHub repository, giving researchers and platforms a way to track and block the infrastructure behind it.

Indicators of Compromise (IoCs):-

Type Indicator Description
Domain 345rodeoslot[.]com Gambling site loaded inside a PWA disguised as “Amazon Slots” 
Domain revvo-online[.]website Casino endpoint linked to the fake app campaign 
Domain tescogames[.]com Casino/landing domain used in Tesco-branded scam ads 
Domain monzoslots[.]life Landing page impersonating Monzo for a fake slots product 
Domain rewardsmonzo[.]website Domain used in Monzo-branded scam campaign 
Domain topstatus[.]site Generic non-branded landing domain used for the scam 
Domain optimismphantasm[.]shop Generic non-branded landing domain used for the scam 
Domain prideeuphoric[.]shop Generic non-branded landing domain used for the scam 
Domain seekerlucis[.]shop Generic non-branded landing domain used for the scam 
Domain blinkd[.]com Casino endpoint identified in the campaign 
Domain spinlynx36[.]com Casino endpoint identified in the campaign 
Domain roulettino12[.]com Casino endpoint loaded via a fake app titled “Amazon Slots” 
URL play[.]monzo[.]com (spoofed display URL) Fake display URL impersonating Monzo’s real domain in ad metadata 

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

 Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.